Configure Mobile SSO for iOS Authentication

<

You configure the Mobile SSO for iOS authentication method from the Auth Methods page in the administration console. Select the Mobile SSO (for IOS) authentication method to use in the built-in identity provider.

Prerequisites

Certificate authority PEM or DER file used to issue certificates to users in the AirWatch tenant.

For revocation checking, the OCSP responder's signing certificate.

For the KDC service select, the realm name of the KDC service. If using the built-in KDC service, the KDC should be initialized. See the Installing and Configuring VMware Identity Manager for the built-in KDC details.

Procedure

In the Identity & Access Management tab, go to Manage > Auth Methods.

In the Mobile SSO (for iOS) Configure column, click the icon.

Configure the Kerberos authentication method.

Option

Description

Enable KDC Authentication

Select this check box to enable users to sign in using iOS devices that support Kerberos authentication.

Realm

If you are using the cloud hosted KDC, enter the pre-defined supported realm name that is supplied to you. The text in this parameter must be entered in all caps. For example, OP.VMWAREIDENTITY.COM

If you are using the built-in KDC, the realm name that you configured when you initialized the KDC displays.

The realm value is read-only. The realm entered here is the identity manager realm name for your tenant.

Root and Intermediate CA Certificate

Upload the certificate authority issuer certificate file. The file format can be either PEM or DER.

Uploaded CA Certificate Subject DNs

The content of the uploaded certificate file is displayed here. More than one file can be uploaded and whatever certificates that are included are added to the list.

Enable OCSP

Select the check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.

Send OCSP Nonce

Select this check box if you want the unique identifier of the OCSP request to be sent in the response.

OCSP Responder’s Signing Certificate

Upload the OCSP certificate for the responder.

When you are using the AirWatch Certificate Authority, the issuer certificate is used as the OCSP certificate. Upload the AirWatch certificate here as well.

OCSP Responder’s Signing Certificate Subject DN

The uploaded OCSP certificate file is listed here.

Enable Cancel Link

When authentication is taking too long, give the user the ability to click Cancel to stop the authentication attempt and cancel the sign-in.

When the Cancel link is enabled, Cancel appears at the end of the authentication error message that displays.

Cancel Message

Create a custom message that displays when the Kerberos authentication is taking too long. If you do not create a custom message, the default message is Attempting to authenticate your credentials.